Newsroom

Press Release

Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years

Thieves Are Targeting Wealthier Consumers While Impersonating Banks Less Often But Leveraging Less-Conventional Brands and Methods to Pull Off Their Scams

The number of U.S. adults that are sure or think that they have received phishing e-mails has nearly doubled since 2004, according to a survey by Gartner, Inc. Financial losses stemming from phishing attacks have risen to more than $2.8 billion in 2006.

"The good news is that, this year, fewer people think they lost money to phishers, but when they did lose, they lost more," said Avivah Litan, vice president and distinguished analyst at Gartner. "The average loss per victim nearly quintupled between 2005 and 2006, and the thieves seem to be targeting higher-income earners who are also more likely to transact on the Internet."

According to the survey, approximately 109 million U.S. adults have received phishing e-mail attacks, up from 57 million U.S. adults in 2004. The average loss per victim has grown from $257 to $1,244 per victim in 2006. The average amount of money consumers recovered from phishing attacks in 2005 was 80%, but in 2006, recovery amounts dropped to 54%.

High-income adults earning more than $100,000 per year are more heavily attacked. This group reported receiving an average of 112 phishing e-mails in the past year versus 74 e-mails per consumers across all income brackets. The high-income adults lost on average $4,362, almost four times as much as other victims.

Phishing e-mails that reach consumers are impersonating banks less often, and other brands, such as PayPal and eBay, more often. Banks and credit card company refunds to consumers who lost money because of phishing attacks are declining as a percentage of total refunds, while refunds from non-financial services companies and retailers are growing as a percentage of total funds.

"Cyber-criminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains," Ms. Litan said. "Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers (ISPs) and other service providers are obviously not sufficiently widespread or effective."

According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year.

Recent browser upgrades (such as with Microsoft’s Internet Explorer and Mozilla’s Firefox) will try and flag known phishing attack sites to consumers, but Gartner analysts said many attacks could still slip by.

"Many of the browser upgrades are still incomplete and immature in terms of protections afforded," Ms. Litan said. "For at least two more years, phishing attacks will continue to increase since it’s still a lucrative business for the perpetrators."

The fear of phishing attacks is having a dramatic impact on non-solicited e-mails, as more adults delete e-mails if they don’t know the person sending them. "Among respondents who say their trust in e-mail has been adversely affected by the recent spate of security-related incidents, 85% delete e-mails they don’t trust without opening them first."

"The anti-phishing measures some enterprises have put in place to protect their brand and their consumers are not working," Ms. Litan said. "Phishers are moving from site to site to launch their attacks more quickly than ever. The average life of phishing sites has gone from one week a couple years ago to about one hour in 2006. Within a year or so, phishing sites may be user specific — that is a single site will be set up to launch a phishing attack against a single user. It’s no wonder the detection services can’t keep up with these rapid criminal movements."

Ms. Litan will provide more detailed analysis at the Gartner Identity & Access Management Summit, November 29-December 1 at the JW Marriott Las Vegas Resort. The inaugural Gartner Identity & Access Management Summit is designed to help organizations address the growing exposure that identity and access management (IAM) inefficiencies and lapses create. The Summit’s three research tracks focus on the business impact of IAM, the practical applications IAM organizations are using today, and the future direction of IAM technologies. Additional information is available at www.gartner.com/us/iam. Members of the media can register for a press pass by contacting christy.pettey@gartner.com.

Contacts

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 6,800 associates, including more than 1,500 research analysts and consultants, and clients in 90 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.